SAP Cyber Threat Intelligence report – July 2018

The SAP threat landscape is always expanding, putting organizations of all sizes and industries at risk of cyber attacks. The monthly SAP Cyber Threat Intelligence report provides insight into the latest security vulnerabilities and threats.

Key takeaways

This month, the vendor released a record-breaking number of Security Notes for 2018. The patch update consists of 34 patches, the majority of them rated medium.

The most common vulnerability type is Implementation Flaw.

SAP Security Notes – July 2018

SAP has released the monthly critical patch update for July 2018. It closes 34 SAP Security Notes (8 SAP Security Patch Day Notes and 26 Support Package Notes). Seven of the patches are updates to previously released Security Notes.

19 notes were released after the second Tuesday of the previous month and before the second Tuesday of this month.

In July, Implementation Flaw is the largest group in terms of the number of vulnerabilities.

SAP Security Notes Distribution by Vulnerability Type – July 2018

SAP users are advised to implement security patches as they are released, since doing so helps protect the SAP landscape.

Critical issues closed by SAP Security Notes in July

The following SAP Security Notes patch the most severe vulnerabilities of this update:

2652578: SAP ABAP has a Missing Authorization Check vulnerability (CVSS Base Score: 6.4, CVE-2018-2436). An attacker can use a missing authorization check to access a service without going through any authorization procedure and to use service functionality that is meant to be restricted. This can lead to information disclosure, privilege escalation, and other attacks.
Install this SAP Security Note to prevent the risks.
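To show what a missing authorization check looks like in practice, here is an added ABAP illustration of the vulnerability class. It is not the code affected by Note 2652578 and is not SAP's or ERPScan's code. The function module names, the table type ZTT_ORDER and the authorization object Z_VKORG are constructed for this example; VBAK and its fields VBELN, VKORG and NETWR are the standard SD sales document header table.

```abap
" Added illustration of a missing authorization check and its fix.
" Both modules are assumed to be RFC-enabled (SE37 attribute), so any
" user with an RFC connection can call them. Names marked Z* and the
" type ZTT_ORDER are constructed for this example.

FUNCTION z_order_read_unsafe.
*"  IMPORTING  VALUE(iv_vkorg)  TYPE vkorg
*"  EXPORTING  VALUE(et_orders) TYPE ztt_order
  " VULNERABLE: nothing verifies that the caller may see this sales
  " organization. Every RFC user reaching this module gets the data.
  SELECT vbeln, vkorg, netwr
    FROM vbak
    WHERE vkorg = @iv_vkorg
    INTO CORRESPONDING FIELDS OF TABLE @et_orders.
ENDFUNCTION.

FUNCTION z_order_read_safe.
*"  IMPORTING  VALUE(iv_vkorg)  TYPE vkorg
*"  EXPORTING  VALUE(et_orders) TYPE ztt_order
*"  EXCEPTIONS not_authorized
  " HARDENED: check the caller's authorization for exactly the value
  " requested, before any data is read. ACTVT '03' is the standard
  " activity code for display. Z_VKORG is a constructed custom object;
  " a real implementation would use the application's own object.
  AUTHORITY-CHECK OBJECT 'Z_VKORG'
    ID 'VKORG' FIELD iv_vkorg
    ID 'ACTVT' FIELD '03'.
  IF sy-subrc <> 0.
    " Fail closed: the caller learns only that access was denied.
    RAISE not_authorized.
  ENDIF.

  SELECT vbeln, vkorg, netwr
    FROM vbak
    WHERE vkorg = @iv_vkorg
    INTO CORRESPONDING FIELDS OF TABLE @et_orders.
ENDFUNCTION.
```

The check must cover the specific value being requested (here the sales organization), not merely the fact that the user is allowed to call the module; otherwise a user authorized for one organization can read all of them. For custom code, static analysis such as the Code Inspector security checks in SAP's Code Vulnerability Analyzer can flag RFC-enabled modules that reach the database without any AUTHORITY-CHECK.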

2620738: SAP CrystalReports has a Command Injection vulnerability (CVSS Base Score: 6.3, CVE-2018-2427). An attacker can use an OS command execution vulnerability to run operating system commands without authorization. The executed commands run with the same privileges as the service that executed them. It is possible to access arbitrary files and directories in the SAP server file system, including application source code, configuration, and critical system files, and thereby obtain critical technical and business-related information stored in the vulnerable SAP system.
Install this SAP Security Note to prevent the risks.

2624762: SAP CrystalReports has a Cross-Site Scripting (XSS) vulnerability (CVSS Base Score: 6.1, CVE-2018-2431). An attacker can use a Cross-Site Scripting vulnerability to inject a malicious script into a page.
Reflected XSS requires tricking a user: the attacker makes the user follow a specially crafted link. With stored XSS, the malicious script is injected and permanently stored in the page body, so the user is attacked without performing any action.
The malicious script can provide access to all cookies, session tokens and other critical information stored by the browser and used for interaction with the site. The attacker can gain access to the user's session and learn business-critical information; in some cases it is possible to take control of the session. XSS can also be used to modify displayed site content without authorization.
Install this SAP Security Note to prevent the risks.
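As an added illustration of the reflected and stored XSS mechanics described above, here is a minimal ABAP ICF request handler in its vulnerable and hardened forms. This is not CrystalReports code and not the code fixed by Note 2624762; the class name, the URL parameter `name` and the page text are constructed for this example. The ICF interfaces (if_http_extension, if_http_request, if_http_response) and the built-in escape( ) function are standard ABAP.

```abap
" Added illustration of reflected XSS in an ICF handler and its fix.
" Class name, URL parameter and page text are constructed.
CLASS zcl_greeting_handler DEFINITION PUBLIC CREATE PUBLIC.
  PUBLIC SECTION.
    INTERFACES if_http_extension.
ENDCLASS.

CLASS zcl_greeting_handler IMPLEMENTATION.
  METHOD if_http_extension~handle_request.
    " Attacker-controlled input: the 'name' query parameter of a crafted
    " link (reflected XSS). Data read from the database that was stored
    " unescaped by an earlier request would be the stored-XSS variant;
    " the fix below is the same for both.
    DATA(lv_name) = server->request->get_form_field( 'name' ).

    " VULNERABLE: the parameter is copied verbatim into the HTML body,
    " so markup in it is parsed by the victim's browser as page content.
    " Shown for contrast only; do not deploy.
    " DATA(lv_body) = |<html><body><h1>Hello { lv_name }</h1></body></html>|.

    " HARDENED: HTML-escape every untrusted value at the point where it
    " is written into markup. e_xss_ml encodes <, >, &, " and ', so the
    " value is rendered as text and never interpreted as HTML or script.
    DATA(lv_safe_name) = escape( val    = lv_name
                                 format = cl_abap_format=>e_xss_ml ).
    DATA(lv_body) = |<html><body><h1>Hello { lv_safe_name }</h1></body></html>|.

    " State the content type explicitly so the browser does not sniff it.
    server->response->set_header_field( name  = 'Content-Type'
                                        value = 'text/html; charset=utf-8' ).
    server->response->set_cdata( data = lv_body ).
  ENDMETHOD.
ENDCLASS.
```

The escaping format has to match the output context: e_xss_ml is for HTML text and attribute values, while values placed inside script blocks, URLs or style sheets need cl_abap_format=>e_xss_js, e_xss_url or e_xss_css respectively. Escaping at output time, rather than at input time, is what also neutralizes stored XSS, because it does not matter whether the payload arrived in this request or was persisted earlier.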

Advisories for these SAP vulnerabilities with technical details will be available in three months on erpscan.com. Exploits for the most critical vulnerabilities are already available in ERPScan Security Monitoring Suite.